[Owasp-board] FW: Axfr on owasp.org

Laurence Casey larry.casey at owasp.org
Fri Nov 13 15:42:12 UTC 2009


------ Forwarded Message
From: Laurence Casey <larry.casey at aspectsecurity.com>
Date: Fri, 13 Nov 2009 10:36:48 -0500
To: Tom Brennan - OWASP <tomb at owasp.org>, David Campbell
<dcampbell at owasp.org>
Cc: Kate Hartmann <kate.hartmann at owasp.org>, Dinis <dinis at ddplus.net>, OWASP
Foundation Board List <owasp-board at lists.owasp.org>
Conversation: Axfr on owasp.org
Subject: Re: Axfr on owasp.org

Tom,

Thanks for pointing this out. I did discuss this with our 3rd party DNS
provider and they refused to turn off zone transfers a month ago. Going
third party does not guarantee a secure environment, in fact the opposite is
more likely.

As for allowing zone transfers, I don¹t think it¹s embarrassing at all.
Using DNS as a security mechanism would be more embarrassing. We have
nothing to hide in our DNS configuration. I do agree that not allowing them
would be better, but in this case, my hands are tied as the provider is not
budging.

--Larry


On 11/13/09 7:52 AM, "Tom Brennan - OWASP" <tomb at owasp.org> wrote:

> Dave, 
> 
> Jabra reported this over a month ago discussed with Jeff Williams - this is
> another reason to move to a 3rd party hosting solution.
> 
> 
> 
> On Thu, Nov 12, 2009 at 4:43 PM, David Campbell <dcampbell at owasp.org> wrote:
>> Hey speaker in this talk just mentioned that owasp.org <http://owasp.org>
>> permits zone xfers.
>> 
>> Can you get that disabled?  Pretty embarrasing
>> 
>> Dc
>> 
> 
> 

------ End of Forwarded Message

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20091113/aba852b1/attachment-0002.html>


More information about the Owasp-board mailing list